Created
April 9, 2015 10:57
-
-
Save jvrmaia/ed12e014fd3bf82f89d7 to your computer and use it in GitHub Desktop.
ssl manager
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| DATE=$(date +%s) | |
| DEFAULT_KEYSTORE_STOREPASS=vmware | |
| KEYSTORE_STOREPASS=`grep keystorePass /usr/lib/loginsight/application/etc/3rd_config/server.xml 2>/dev/null | gawk -F'"' '{print $4}' || echo ${DEFAULT_KEYSTORE_STOREPASS}` | |
| TOMCAT=$(ls /usr/lib/loginsight/application/3rd_party 2>/dev/null | grep tomcat) | |
| [ ! -d "/usr/lib/loginsight/application/3rd_party/${TOMCAT}" ] && \ | |
| echo >/dev/stderr "ERROR: Unable to locate Tomcat directory, you must run this on the Log Insight virtual appliance...exiting" && \ | |
| exit 255 | |
| backup() { | |
| BACKUPDIR="/tmp/li-ssl-certs" | |
| BACKUPTAR="/tmp/li-ssl-certs.tar.gz" | |
| for X in $BACKUPDIR $BACKUPTAR; do | |
| if [ -d "$X" -o -f "$X" ]; then | |
| echo "ERROR: $X already exists. Please remove and try again." | |
| exit 1 | |
| fi | |
| done | |
| mkdir $BACKUPDIR | |
| cp /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom* $BACKUPDIR | |
| cp /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore* $BACKUPDIR 2>&1 | |
| cp /usr/lib/loginsight/application/etc/truststore $BACKUPDIR 2>&1 | |
| check | |
| tar cfz /tmp/li-ssl-certs.tar.gz $BACKUPDIR | |
| rm -rf $BACKUPDIR | |
| echo "SSL certificates where successfully backed up to /tmp/li-ssl-certs.tar.gz" | |
| exit 0 | |
| } | |
| check() { | |
| if [ "$1" == "--short" ]; then | |
| if [ ! -z "$2" ]; then | |
| echo $KEYSTORE_STOREPASS | /usr/java/default/bin/keytool -list -keystore $2 | grep "Certificate fingerprint" | awk '{split($0,a," "); print a[4]}' | |
| else | |
| echo $KEYSTORE_STOREPASS | /usr/java/default/bin/keytool -list -keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | grep "Certificate fingerprint" | awk '{split($0,a," "); print a[4]}' | |
| fi | |
| exit 0 | |
| fi | |
| if [ -z "$BACKUPDIR" ]; then | |
| echo "=== Keystore contents =========================================================================================" | |
| echo "" | |
| echo $KEYSTORE_STOREPASS | /usr/java/default/bin/keytool -list -keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | |
| fi | |
| ALIAS=$(echo $KEYSTORE_STOREPASS | /usr/java/default/bin/keytool -list -keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | grep PrivateKeyEntry | awk '{split($0,a,","); print a[1]}') | |
| if [ -z "$BACKUPDIR" ]; then echo ""; fi | |
| echo $KEYSTORE_STOREPASS | /usr/java/default/bin/keytool -alias $ALIAS -export -file /tmp/$ALIAS.crt -keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | |
| if [ -z "$BACKUPDIR" ]; then | |
| echo "=== Certificate contents ======================================================================================" | |
| echo "" | |
| /usr/java/default/bin/keytool -printcert -v -file /tmp/$ALIAS.crt | |
| rm -rf /tmp/$ALIAS.crt | |
| exit 0 | |
| else | |
| cp /tmp/$ALIAS.crt $BACKUPDIR | |
| rm -rf /tmp/$ALIAS.crt | |
| return | |
| fi | |
| } | |
| replace() { | |
| if [ "$1" != "--force" ]; then | |
| echo "USAGE: $0 --replace --force" | |
| echo "WARNING: This command will restart the Log Insight service." | |
| echo " This command should be run on every node in a cluster." | |
| exit 2 | |
| fi | |
| echo -n "Backing up existing certificates..." | |
| cp /usr/lib/loginsight/application/etc/3rd_config/keystore /usr/lib/loginsight/application/etc/3rd_config/keystore.$DATE 2>&1 | |
| KEYSTORE=$(ls /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore) | |
| cp $KEYSTORE $KEYSTORE.$DATE 2>&1 | |
| cp /usr/lib/loginsight/application/etc/truststore /usr/lib/loginsight/application/etc/truststore.$DATE 2>&1 | |
| echo "done" | |
| echo -n "Generating self-signed SSL certificate keystore..." | |
| /usr/java/default/bin/keytool -genkey -alias loginsight -keyalg RSA -validity 3650 -keysize 4096 -keystore /tmp/keystore -keypass $KEYSTORE_STOREPASS -storepass $KEYSTORE_STOREPASS -dname "CN=VMware vRealize Log Insight, OU=vRealize Log Insight, O=VMware\, Inc., L=Palo Alto, S=California, C=US" 2>&1 | |
| echo "done" | |
| echo -n "Exporting self-signed SSL certificate..." | |
| /usr/java/default/bin/keytool -export -alias loginsight -file /tmp/loginsight.cer -keystore /tmp/keystore -storepass $KEYSTORE_STOREPASS >/dev/null 2>&1 | |
| echo "done" | |
| echo -n "Generating certificate authority..." | |
| /usr/java/default/bin/keytool -import -noprompt -alias loginsight -v -trustcacerts -file /tmp/loginsight.cer -keystore /tmp/truststore -keypass $KEYSTORE_STOREPASS -storepass $KEYSTORE_STOREPASS >/dev/null 2>&1 | |
| echo "done" | |
| echo -n "Moving certificate stores into place..." | |
| cp /tmp/keystore /usr/lib/loginsight/application/etc/3rd_config/keystore | |
| mv /tmp/keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | |
| mv /tmp/truststore /usr/lib/loginsight/application/etc/truststore | |
| echo "done" | |
| echo -n "Cleaning up exported SSL certificate..." | |
| rm -rf /tmp/loginsight.cer | |
| echo "done" | |
| service loginsight restart | |
| exit 0 | |
| } | |
| restore() { | |
| SHA1=$(check --short) | |
| SHA2=$(check --short /usr/lib/loginsight/application/etc/3rd_config/keystore) | |
| if [ "$SHA1" == "$SHA2" ]; then echo "Default certificate already in place...exiting"; exit 2; fi | |
| if [ "$1" != "--force" ]; then | |
| echo "USAGE: $0 --restore --force" | |
| echo "WARNING: This command will restart the Log Insight service." | |
| echo " This command should be run on every node in a cluster." | |
| exit 2 | |
| fi | |
| echo -n "Backing up existing certificate..." | |
| cp /usr/lib/loginsight/application/etc/3rd_config/keystore /usr/lib/loginsight/application/etc/3rd_config/keystore.$DATE 2>&1 | |
| echo "done" | |
| echo -n "Restoring default certificate..." | |
| cp /usr/lib/loginsight/application/etc/3rd_config/keystore /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/keystore | |
| echo "done" | |
| service loginsight restart | |
| exit 0 | |
| } | |
| upload() { | |
| if [ "$2" != "--force" ]; then | |
| echo "USAGE: $0 --upload <pem> --force" | |
| echo "WARNING: This command will restart the Log Insight service." | |
| echo " This command should be run on every node in a cluster." | |
| exit 2 | |
| fi | |
| echo -n "Checking for PEM file..." | |
| PEM=$1 | |
| if [ ! -f "$PEM" ]; then | |
| echo "file specified not found" | |
| exit 1 | |
| fi | |
| echo "done" | |
| echo -n "Checking for previously uploaded certificate..." | |
| CUSTOM=$(ls /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem) | |
| if [ -f "$CUSTOM" ]; then | |
| echo "found" | |
| echo -n "Backing up previously uploaded certificate..." | |
| cp /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem.$DATE | |
| cp /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom-key.pem /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom-key.pem.$DATE | |
| echo "done" | |
| else | |
| echo "not found" | |
| fi | |
| echo -n "Attempting to install new certificate..." | |
| cp $PEM /usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem | |
| /usr/lib/loginsight/application/sbin/custom-ssl-cerf 2>&1 | |
| if [ "$?" != "1" ]; then | |
| echo "done" | |
| service loginsight restart | |
| exit 0 | |
| else | |
| echo "" | |
| echo "Verify that your custom SSL certificate meets the following requirements." | |
| echo "" | |
| echo "1. The certificate file contains both a valid private key and a valid certificate chain." | |
| echo "2. The private key is generated by the RSA or the DSA algorithm." | |
| echo "3. The private key is not encrypted by a pass phrase." | |
| echo "4. If the certificate is signed by a chain of other certificates, all other certificates must be included in the certificate file that you plan to import." | |
| echo "5. All the certificates and the private key that are included in the certificate file are must be PEM-encoded. DER-encoded certificates and private keys are not supported." | |
| echo "6. All the certificates and the private key that are included in the certificate file must be in the PEM format. Certificates in the PFX, PKCS12, PKCS7, or other formats are not supported." | |
| exit 1 | |
| fi | |
| } | |
| func=$(echo $1 | awk '{split($0,a,"-"); print a[3]}') | |
| $func $2 $3 2>/dev/null | |
| echo "USAGE: $0 [--backup|--check [--short]|--replace|--restore|--upload <pem>]" | |
| echo "WHERE:" | |
| echo " --backup Backs up all keystore and SSL certificate information including" | |
| echo " default and custom certificates." | |
| echo " --check [--short] Prints the current keystore and SSL certificate information. Use" | |
| echo " the --short flag to just return the certificate SHA1 (most useful" | |
| echo " when ensuring all nodes in a cluster have the same certificate)." | |
| echo " --replace Creates and installs a new, self-signed SSL certificate. THIS" | |
| echo " COMMAND RESTARTS LOG INSIGHT." | |
| echo " --restore Puts the default, self-signed SSL certificate that originally came" | |
| echo " with the VA back. THIS COMMAND RESTARTS LOG INSIGHT." | |
| echo " --upload <pem> Attempts to install the specified PEM certificate. THIS COMMAND" | |
| echo " RESTARTS LOG INSIGHT." | |
| exit 2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
source http://sflanders.net/2015/04/07/log-insight-ssl-certificate-management/